Rotten phish: Scams travel by text messages, too

smile, you son of a b!!!!
This online phish is predatory, but it’s not that smart. Still …

Another day, another scam.

I’ve been getting text  messages from some outfit called Contact Achieve, and when I called back I picked up some real bad smell.

It smelled like rotten phish.

It’s from some company that calls itself Achieve, and according to the Federal Trade Commission it’s pure scam. But I’m getting ahead of myself here.

On Jan. 18 I received a text from Achieve Card. Two texts that day, one at 6:51 pm and another five minutes later. Actually had at least one text before that but I chose to ignore it.

But in that pair of texts I was given a number (601-633-0010) to call. So I did, and caught a recording. Upshot was that they were the Achieve Card help desk, and my prepaid Visa debit card had limited security access due to a security error. Then they gave me  the first few digits of my card number and wanted me to punch it in on the keypad.

Uhh, no thanks. I may have been born in the dark, but it wasn’t last night.

So I wrote the information down and called that recording again to make sure I had it right. Hey, if you’re after a story you want to make sure you have it right.

A couple of red flags right away. The biggest is that I don’t have a prepaid Visa card. I do have a Visa debit card that’s attached to my bank account, but the partial number didn’t match.

I do have a prepaid debit card (which I use for a couple of jobs that pay cash), but it’s an American Express and the numbers still don’t match.

Plus I’ve never heard of that company.

Not only are they crooked, but they’re idiots.

Listen, it’s not unlike some emails I got from some outfit claiming to be PayPal. Except they kept using email addresses that are not attached to my PayPal account. I related the whole sordid tale here, and it’s worth your while to check that one out. It’s a million laughs unless you fell for it.

Let’s bring this thing forward, shall we? Just a few minutes ago (I wrote this a little after 5 pm Jan. 21) I got another text message. This one was also from Achieve, and according to my readout the text message went out at 9:18 p.m. on Jan. 17. So it must have gone into some queue, to be released at the most inopportune time.

Just because I feel like making trouble (who, me?) I tried their callback number. That’s 832-984-9427 in case you’re interested) and got a different recording. From the Federal Trade Commission, no less. Maybe it was and maybe it wasn’t, but the message was quite interesting nonetheless.

According to that recording, that callback number has been disconnected because the FTC divined that it was a scam, and a number of folks got emails and text messages in the so-called company’s trolling efforts.

They can shut it down? How interesting.

The recording went on to explain that it was an attempt at phishing, sending out bogus texts or email to talk you into giving up your valuable  banking information so they can steal your identity. Their advice: Don’t do it.

Well, duh.

In addition I was referred to a website, onguardonline.gov, which is supposed to be an FTC site on dealing with scams. I checked it and it looks pretty legit to me, enough for me to subscribe to the RSS feed.

Just for gits and shiggles I tried that first Achieve number again and got a fast busy signal. So apparently that’s been shut down too.

So scratch one scammer. But they’re like cockroaches. Kill one and a thousand more come to its funeral.

Hey, you know the deal. Don’t give out your bank card numbers online or over the phone unless you initiated the call, and even then crank up your BS detector as high as it will go. I also have some other precautions, which I listed here. Check that out while you’re at the computer reading this. That in itself is worth the price of admission.

Do I expect people to wise up?

No way. A few might if they’ve been burned often enough or if that aforementioned BS detector is fully functional. But hey, y’all be careful out there.

In the meantime, enjoy your computer. Have fun checking out Facebook, Buzzfeed and those cat videos. Feel free to read your news online (including this blog). Buy books from Amzon (including mine, heh-heh) Do your shopping online. Use the Internet to make a living. Use the online tools to run several aspects of your life by remote control (like my own use of online banking). It’s safer than it once was, it’s convenient, it’s a Godsend.

But again, be careful.

# # #

What say you? Have you run across this Achieve outfit? How about that PayPal email scam? Any other stories? Please share in the comments, and don’t spare me any of the gory details.

Share

Sidebar: Protect that computer information and thank yourself later

While writing today’s piece on yet another phishing attempt by someone claiming to be PayPal, a few things came to mind and they deserve a blog entry on their own. I’ll include them in this sidebar.

Off the top of my head, I listed a few measures you can take to protect your computer and your online information — in fact, your whole identity — from being stolen.

This gets even more important as we use the Internet for more important aspects of daily life, such as moving money around.

Most of these tips are common sense, but those are sometimes the hardest ones to remember and implement.

Here’s a sampling:


  • Choose your tools carefully. If you use Internet Explorer, take that icon off your desktop right now and surf with a different browser. Chromium (an open-source version of Google Chrome) is good, as are Firefox and Opera.
  • Keep that browser updated.
  • Be careful about passwords; PayPal_Andy’s advice of having a designated password for each site is highly recommended, even though I’m guilty of using the same passwords for more than one site.
  • Don’t open any attachments if you don’t know the sender.
  • Be wary of attachments from someone you know; zap it with your virus and malware protection tools before you open it.
  • I’d also be wary of links sent by email, especially when they’re shortened through bit.ly or some other service. Also be careful of links posted on your favorite social media sites; you can click on some malware real easily that way. I’ve seen malware propagate among everyone on your friends/followers lists, making them the gift that keeps on giving.
  • You do have virus protection, don’t you? You do keep it updated, don’t you? Virus protection that’s not kept up to speed is totally worthless.
  • Grab some spyware protection, too. For that I recommend Spybot Search And Destroy.
  • Be careful about using public wireless for any business involving money; it’s too easy to tap into your information that way.
  • If surfing in a public place, watch for anyone behind you or sit with your back against a wall. I know this sounds goofy, but when some lowlife is trying to grab your information the low-tech ways are often the most effective.
  • Don’t let me scare you or anything.

If you use a smartphone:

  • Guard it with your life. Even if you want to be a good neighbor and help someone in a pinch, don’t let that person “hold” your phone. It’s too easy for him to snatch it and run. Most smartphones carry way more information than you’d think, and most of it can be found in seconds.
  • Be careful about dropping or leaving your phone somewhere. Same reason.
  • I use a lanyard from an old mp3 player and attach it to my phone holster. The other end is attached to a small carabiner, which I clip onto a belt loop. The holster’s flap is closed when I’m not using the phone. That way, if the holster falls off (happens more often than I’d like to think) or someone tries to snatch it off your belt, you’d know immediately.
  • Stay aware of what’s around you, even if you’re texting or playing whatever brain-sucking smartphone game is hot these days. I’ve heard of folks stealing someone’s phone while the person is using it.
  • Two words: Password protection.

If you can think of any other means of protecting your information, share in the comments section. I’ll be glad to include it. Let’s watch one another’s backs.


Share

Sharks in the phishing hole: That email isn’t really from PayPal

smile, you son of a b!!!!
If you conduct your business online, make sure you don’t put any blood in the water …

Much of my life is automated via the Internet. I do my work, pay my bills and buy things online. Shoot, I haven’t been inside a bank in two years because all this is done over the ‘net. I even have an account with one bank that operates completely online, without a brick-and-mortar branch within sight.

This is great in most circumstances but it sure leaves me open to all sorts of security glitches.

If you’re reading this on your computer, you may be in that same boat. Of course you have an Internet connection. You might buy things online, pay your bills through the Internet or even govern your whole life through a coaxial cable or wifi connection. It’s great, it’s convenient, and sometimes it’s dangerous.

I received more confirmation of this danger the other day when I checked my email. It’s allegedly from PayPal, and it carries all sorts of dire warnings.

The email that set stuff off

Here’s the note, in its entirety but with the account ID deleted. Other than that, I kept the capitalization and spacing (this part’s important) just as you see it here:


Your account has been limited Paypal ID PP-xxx-xxx-xxx

Service@paypal.com

Identity issue PP-xxx-xxx-xxx

Please complete the attached form to verify your Profile information and restore your account access.


Personal Information Profile

Make sure you enter the information accurately, and according to the formats required.

Fill in all the required fields.

Dear customer ,

As part of our efforts to provide a safe and secure environment for the online community, we regularly screen account activity. Our review of your account has identified an issue regarding its safe use. We have placed a restriction on your account as a precaution.

To lift the restriction we will require some further information from you.

If, once we review your further information and we’re convinced that the use of your account does not present a safety risk to our service and customers, we’ll be happy to reinstate your account.

We have sent you an attachment which contains all the necessary steps in order to restore your account access. Download and open it in your browser. After we have gathered the necessary information, you will regain full access to your account.

We thank you for your prompt attention to this matter.

Very sincerely,

PayPal Review Department.


There’s an attached document that came with this note.

Did I download and open it?

Uhh, noooo … forgive this journalistic lapse, but I’m really not as dumb as I look.

Things that made me go h’mmm …

PayPal
Watch it if you get an email purporting to be from these guys.

There were a couple of red flags that went up right away.

One of those red flags was the address this email went to. I have six email addresses, and two of them (my Gmail addresses) are attached to my PayPal account. But this email went to two addresses that have nothing to do with PayPal, and both are under my ericpulsifer.com web domain.

Now understand the importance of this. PayPal uses your associated email address to make all transactions. That means if you use that service and want to send me money (hint hint) you’ll send it through the email address associated with it.

(So if you’re feeling generous, crank up your PayPal and my email address is epulsifer@gmail.com. Be sure and send it in small unmarked bills and I’ll be real happy.)

All my PayPal communications go through that one Gmail address. So to receive this email through one of my business (non-Gmail) addresses gives me pause right away.

This gets really suspicious when I get simultaneous emails to different boxes under the same domain name.

While the email’s reported sender is Service@PayPal.com (with the capitalization just as you see it here), the actual email address is security@info.com. Now, how suspicious is that?

I checked my PayPal account and found nothing even resembling the account ID number listed in the email. I do have a merchant ID number, but it’s not even close. Could be that I’m not looking in the right place, but I don’t think so. Paypal’s ID is basically your email address. Got that?

After receiving the email I checked my PayPal account right away. Everything was copacetic. I was able to access it like I always have, without restrictions. So you know the sender was trying to baffle me with BS.

Chasing the story

Being the troublemaker that I am, I ran a Google search using the phrase “paypal restore account information email” and man, did I get a pantload of results. None of them carried good news either, but it was highly educational.

Just from looking at the first page of the search results, I saw this scam has been kicking around since 2006.

According to consumerfraudreporting.com, PayPal will never send you an email without putting your name on it. In other words it will be “Dear Eric Pulsifer,” not “Dear customer.” And you can bet they won’t leave a space between “customer” and the comma in the greeting; this just tells me it’s just some guy sending these emails from some basement somewhere.

Oh, yes. According to my research, PayPal doesn’t send attachments. I know I’ve never seen one from them. Forget it.

I checked on the PayPal community forum, and found some more revealing information. Several users reported similar emails and the forum administrator, who identifies himself as PayPal_Andy (I’ll assume he’s an employee) wrote this:

First, I’d recommend running a virus scan just to make sure you didn’t pick up anything unsavory when you clicked there. If everything’s fine (or once it is), I would recommend going to PayPal and changing your password and security questions through the ‘Profile’ link. Make sure this password is brand new and you haven’t used it anywhere else and you should be fine. Just keep an eye on your PayPal account for any unauthorized charges, and if you see any, let us know ASAP.

Andy

Sound advice. It’s common sense, but you can ride with the assumption that the phisherman probably snagged some of your information before sending that email. Change your password immediately just to make sure.

By the way, Andy posted his response in August 2011, so you know this scam is an oldie but goodie. But phishers and other off-brand types wanting to access your valuable information tend to stick with a winning formula.

If you get that email …

Generally, if you have an issue with access to your PayPal account, you can do all the fixing through the actual site. They have a “resolution center” where you may or may not get immediate answers, but it’s sure a lot safer than downloading/filling out an attached form you got from some random person and sending it via email.

Consumerfraudreporting.org suggests forwarding any fraudulent PayPal email to spoof@paypal.com — which I just did as I was researching and writing this piece. Here’s what I wrote:

I received this at two separate email addresses under the same domain, and neither one is associated with my PayPal account. Smelled a rat immediately and didn’t bother to open the attachment, so I won’t pass that part along to you.

Thought you might like to know, especially if you’re counting.

Thanks,

–Eric Pulsifer

So far, no response. But let the record reflect I went through proper channels.

Despite PayPal’s somewhat squirelly reputation (every year it finds itself in the running for the most evil company by the Consumerist website), I’ve never had a problem with them. Never. I once had to send some paperwork to prove I was who I said I was, but everything was resolved quickly by phone after that. While that was inconvenient, I have to give them brownie points for taking that security step.

I also have my account set up to send me an email and a text message when I make a transaction, and this has served me well. I found out within seconds when a restaurant tried to charge my PayPal debit card twice for a meal, so after I complained to the restaurant management, PayPal fixed things on their end without me having to prompt them. I might have scared the PP out of everyone involved, but somebody had to do it.

So from my perspective I have nothing bad to say about PayPal’s customer service. They’ve always been responsive and went that extra mile with me. Maybe I’m just Texas-lucky here, but I’ll take it.

The upshot of this whole mess is, if you receive this kind of note from PayPal, don’t panic. Don’t click on any attachments because it’s not from them and it’s probably malware anyway. And if you a) get it in an email box that’s not associated with your PayPal account or b) you don’t even have a PayPal account — that’s been reported too — then you know someone just tried to pull a fast one on you.

Enjoy your computers. Keep your online experiences fun and/or profitable. Just watch out for the phishing holes; there are sharks aplenty in there.


(For more information on protecting your computer and your information, be sure and check out my sidebar here. I even covered smartphones here, including my favorite 99-cent hack that may keep you from losing your phone.)

 

 

Share